Researchers explained the attack is carried out via a highly personalized email containing Word macros that could download and install the malware.

“During our analysis, we found that many of the lures and subject lines of the emails used references to issues with supported purchases on the company’s website and were targeted at individuals who may be able to provide support for those issues,” said Proofpoint.

The attackers use subject lines that include the recipient’s domain, such as:

[recipient’s domain] Support: Products disappear from the cart during checkout

Need help with order on [recipient’s domain]

Duplicate charges on [recipient’s domain]

Source: Proofpoint

Once the malware is installed, researchers determined August is capable of stealing and uploading files with specific extensions to a command and control (C&C) server; grabbing credentials; determining the presence of common security tools; and using simple encryption.

“The malware itself is obfuscated while the macro used in these distribution campaigns employs a number of evasion techniques and a fileless approach to load the malware via PowerShell,” the researchers noted.

“All of these factors increase the difficulty of detection, both at the gateway and the endpoint,” said Proofpoint.

Per their investigation, researchers said the campaign appears to be linked to TA530 – an actor or cybercrime group that they have previously cited for their highly personalized campaigns.

“While this actor is largely targeting retailers and manufacturers with large B2C sales operations, August could be used to steal credentials and files in a wide range of scenarios,” warned Proofpoint.